Apparatus and methods for identity verification

ABSTRACT

An identity verification device comprises a cellular telecommunications modem and a fingerprint scanner coupled to the modem, the verification device being configured for storing first fingerprint data in an enrolment process and being operable, in response to the modem receiving a verification command via a cellular telecommunications network, to perform a verification process in which the fingerprint scanner scans a fingerprint to obtain second fingerprint data, the first and second fingerprint data are compared with each other, and in the event of a match between the first and second fingerprint data, the modem transmits a response signal to a predetermined destination via the telecommunications network. The device may be used in a networked telecommunications system in which the electronic transactions may be initiated by smart cards and other devices.

FIELD OF THE INVENTION

This invention relates to apparatus, systems, devices and methods foridentity verification.

BACKGROUND

There is need for a simple and efficient means of identifying users ofelectronic systems in order to reduce or minimise mis-use of thosesystems by unauthorised individuals.

For example, so-called identity theft and fraudulent use of credit cardsor the like is increasing so that there is a need for a means forensuring that the person involved in any particular transaction is infact the authorised person and not a fraudulent imposter.

At the present time, attempts to meet this need involve individualscarrying out security processes such as entry of codewords and codephrases which have to be memorised. As the level of security that isneeded increases, the processes which the individual has to carry out toverify his or her identity become more complex. The more complex theseprocesses are, the more time they take to carry out and the more theyare liable to fail, for example due to the individual being unable toremember the particular codes or phrases which need to be entered. Thisproblem is particularly acute where a given individual utilises a numberof different electronic systems and each system requires differentprocedures and/or formats of security codes, passwords or securityphrases.

Further, access to buildings, other forms of property or particularareas or rooms in a given building is now commonly controlledelectronically. One way of attempting to permit entry only by authorisedindividuals is the use of a tag, such as an RFID tag, which is carriedby an authorised individual and which cooperates with a tag sensor forinputting a signal to unlock a door. Another, is to provide a keypad ator near the relevant door and, to unlock the door, a code which isintended to be known only to authorised individuals has to be entered bythe keypad. However, unauthorised access can be obtained if such tagsbecome lost or stolen or the code becomes known to unauthorisedindividuals.

SUMMARY OF THE INVENTION

In order to address this problem, the present invention provides anetwork system for performing electronic transactions or processes asdefined in claim 1.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is described further by way of example with reference tothe accompanying drawings, in which:

FIG. 1 is a block diagram of a system for performing electronictransactions according to a first embodiment of the invention;

FIG. 2 is a block diagram of the main components of a verificationdevice which is included in the system of FIG. 1 and is constructed inthe form of a card incorporating a fingerprint reader;

FIG. 3 is a block diagram of an authentication module included in thesystem of FIG. 1;

FIG. 4 is a block diagram showing the main components, as relevant tothis embodiment, of a GSM modem provided on the card of FIG. 2;

FIG. 5 is a block diagram showing the contents of a data store includedin the modem of FIG. 4 and of a flash memory provided on the card shownin FIG. 2; and

FIG. 6 is a circuit diagram of a current booster circuit which may beincluded in the card shown in FIG. 2.

OVERVIEW

FIG. 1 shows a system 2 for the performance of a multiplicity ofelectronic transactions. The electronic transactions may be of differenttypes, including financial transactions, transactions providing accessto buildings or areas by electronically controlled gates or barriers,transactions providing access to physical storage locations or rooms,transactions providing access to electronically stored data andtransactions for turning on or off any kind of electrical orelectrically controlled apparatus, machinery or system. The expression“electronic transactions” is therefore used broadly herein and includesany electronic or computer implemented event or process, particularlyany event or process that may be initiated by, controlled by orauthorised by, an individual.

The system 2 comprises a plurality of conventional terminal apparatus 4for receiving data for instructing the transactions, a conventional datatransmission network 6 for connecting the terminal apparatus 4 toappropriate ones of a plurality of servers 8 for executing thetransactions, and a plurality of verification devices 10 which areregistered in the system, in a manner to be described later, torespective individuals who may request or authorise the execution oftransactions by the system 2. The servers 8 can communicate with theverification devices 10, via a conventional cellular telecommunicationsnetwork 12, for verifying the identity of individuals instructing thetransactions via the terminals 4. For this purpose, as will be describedin more detail later, the verification devices 10 comprise fingerprintreaders (not shown in FIG. 1).

Accordingly, the system 2 may comprise a large number of verificationdevices 10 and each individual whose identity is to be checked wheninstructing a transaction may be provided with a respective differentone of those devices 10.

In practice, there may be a large number of different servers 8 andterminal apparatus 4 of a large number of different types for performinga wide range of different electronic transactions. In the system 2illustrated in FIG. 1, there are five examples of different types ofterminal apparatus 4, which cooperate with appropriate ones of theservers 8, for performing five different types of transaction.

First Example of Terminal Apparatus

In a first example, the terminal apparatus 4 comprises a conventionaldevice 14 which cooperates with a conventional smart card 16, forexample by insertion of the card 16 into the device 14, for instructinga financial transaction via a local computer 18. The device 14 is forexample a point-of-sale device (POS) in a store or restaurant forpurchasing goods or an automatic teller machine (ATM) for dispensingcash, and the smart card 16 is for example a credit card, bank card ordebit card.

The card 16 may be constructed in accordance with the appropriateISO/IEC standards, and comprise a substrate of specific structure anddimensions according to the standard, an integrated circuit comprising amicroprocessor and appropriate memory storing data and programs, acircuit and contacts for connecting the card to a POS or ATM, a magneticstripe storing data, and embossed and/or other alphanumeric charactersidentifying the person to whom the card is registered and the associatedbank or other account. Instead of or in addition to electrical contacts,the card might be provided with means for wireless communication with aPOS or ATM, particularly in accordance with relevant ISO/IEC standards.

The system may comprise a large number of smart cards 16 registered, ina conventional manner, in the system to the individuals, who may bereferred to as cardholders, entitled to use them for the purchase ofgoods and services utilising bank or other accounts belonging to theindividuals. Such accounts may, as is conventional, have credit limitsapplied to them.

As is also conventional, each smart card 16 stores a Personal IdentityNumber (PIN) and the device 14 is arranged to require input, typicallyby a keyboard, of the correct PIN before a transaction can be processed.Processing to check the PIN may be performed in a conventional manner bya processor incorporated into the smart card 16 or by a processorincluded in the POS or ATM.

The device 14 is connected to a conventional local computer 18 whichtransmits, in a conventional manner, a request for authorisation for thetransaction to a bank server 43. In practice, the system 2 will includethis is all in the conventional descriptions that is correct a number ofdifferent bank servers 43, as represented diagrammatically in FIG. 1,operated by or on behalf of different banks. The request forauthorisation, accordingly, will be transmitted to the bank server 43which corresponds to the particular smart card 16 that has been insertedinto, or otherwise cooperates with, the device 14. Each bank server 43includes a transaction module 44 for performing financial transactionsand an authentication module 46 for performing authentication processes.

The transaction module 44 performs financial transactions in aconventional manner utilising a conventional card database 45 containingthe details of the cards 16 and the respective individuals to whom theyare registered. Before executing the financial transaction, thetransaction module 44 sends a command or instruction to theauthentication module 46 to cause it to verify the identity of theindividual requesting the transaction, by performing an authenticationprocess. This process utilises the verification device 10 that isregistered to the registered holder of the card 16 that has beeninserted in, or otherwise cooperates with, device 14. The authenticationprocess will be described in detail later.

If the result of the authentication process is negative the transactionis not executed and a message confirming this is sent back to the localcomputer 18 in a conventional manner, as in situations in which thetransaction is refused for other reasons, such as an inadequate creditbalance on the relevant account. If the result of the authenticationprocess is positive, the transaction module will, subject to any otherconditions such as sufficient credit in the account, execute thetransaction and the bank server 43 will send a message confirming thisback to the local computer 18 in a conventional manner.

Although in the above description, the server 43 which executes thefinancial transaction has been described as a “bank” server, in manycases the transaction may be performed by the server or servers of adifferent type of financial institution, such as a company providingcredit card services.

Second Example of Terminal Apparatus

The second example of the terminal apparatus 4 shown in FIG. 1 comprisesa conventional personal computer 20 of any type having an input device22, such as a keyboard and mouse or touch screen, operable forpurchasing goods or services via the Internet by entering, using theinput device 22, details of a conventional credit, debit or otherfinancial card 24. The card 24 may be of identical structure andfunction to the card 16 as described above, but in this example data onthe card, such as the identity of the cardholder, the number of theaccount to which the card relates and a security code, is enteredmanually into personal computer 20 rather than being read from the cardas in the first example above. Typically, such details may be enteredinto appropriate fields of a webpage downloaded to the computer 20.

Following entry into the personal computer 20 of the details of the itemor service to be purchased, the card data and a command to execute thetransaction, the personal computer 20 communicates the details of therequired transaction to a vendor server 48 which is operated by thevendor of the goods or services in question. The vendor server 48comprises a sales processing module 49 which performs, in a conventionalmanner, the electronic processes necessary for executing the sale of thegoods or services that the user wishes to purchase. However, before thesale is authorised the sales processing module 49 sends, via the datatransmission network 6, a message to the appropriate bank (or otherfinancial institution) server 43 to obtain payment for the purchase fromthe account to which the card 24 relates.

As in the first example described above, before the bank server 43executes the financial transaction necessary to make the payment, thetransaction module 44 of the bank server 43 requests the authenticationmodule 46 of the bank server 43 to perform an authentication process, asreferred to in the first example above, in which the identity of theindividual making the purchase is verified utilising the verificationdevice 10 registered to the relevant individual. As already noted, thedetails of the authentication process will be described later.

The computer 20 may also be used for effecting non-financial electronictransactions at a remote computer 51 of which, in practice, the systemwill comprise a number. Examples of such non-financial transactionsinclude updating data, such as personal details, downloading oraccessing data or documents from the remote computer or adding new dataor documents to the remote computer. Such transactions would not requirethe use of the credit card 24, or other financial card, but may requirethe individual requesting the transaction to enter appropriate data,such as a username and/or password. Further, the data that is requiredto be input might be, or might include, the user's membership number inan organisation to which the user belongs and to which the proposedtransaction relates. Such an organisation might be a professional body,a club or a customer loyalty scheme. Further, the non-financialtransaction might simply be the process of logging on to the remotecomputer 51. In yet another example, the computer 20 might be arrangedso that logging on to it is controlled by the remote computer 51, inwhich case the non-financial transaction performed by the remotecomputer 51 would be to respond to log on request from the computer 20by the transmission to the computer 20 of a command or signalauthorising or prohibiting logging on to the computer 20.

Thus, the remote computers 51 may be of a wide variety of differenttypes for performing a wide variety of different processes, and mayinclude servers of particular organisations and remote personalcomputers belonging to or assigned to the user of the computer 20. Forexample, the remote computer 51 might be an office computer or might bean email server to which the user requires access from his/her homecomputer or from some other computer such as a publicly accessiblecomputer in an Internet cafe. Thus, the computer 20 might also be any ofa variety of different types of computer located in any of a variety oflocations.

As shown in FIG. 1, the computer 51 has a conventional non-financialtransaction processor 53 for effecting the electronic transactions inquestion and a conventional database 55 containing details, such as ausername or usernames and/or passwords and/or membership numbers etc, ofindividuals entitled to request the non-financial transactions that theremote computer 51 is operable to perform. In addition, the remotecomputer 51 includes an authentication module 57.

For the performance of a transaction at the remote computer 51, the userenters the required data into computer 20 via input device 22 and thecomputer 20, in response to the entry of an appropriate command,transmits a message via network 6 to the remote computer 51 forinstructing the remote computer 51 to perform the requested transaction.Prior to executing the transaction, the processor 53 sends a request tothe authentication module 57 which performs an authentication processwhich is the same as that performed by the authentication module 46previously referred to and which (as previously indicated) will bedescribed in detail later. If the result of the authentication ispositive the transaction is executed by a processor 53 and if not thetransaction is not executed and a message to this effect is transmittedback to the computer 20.

Third Example of Terminal Apparatus

The third example of the terminal apparatus 4 comprises a conventionalcomputer 26, having an input device 28, such as a keyboard and mouse,used by an organisation, such as a government office, hospital or otherinstitution which provides services or benefits to individuals and whichrequires verification of the identity of the individual beforedispensing the services or benefits.

In use, the operator of the computer 26 manually enters, via the device28, an identification request, represented by block 30, which willinclude data identifying the individual requesting the benefits orservices.

In response to this, the computer 26 sends a message to anidentification server 50. The server 50 stores a database 52 containingthe identities of individuals having the right to receive the benefitsor services in question and comprises a transaction module 54 which,upon receipt of the request, activates an authentication module 56,which in turn carries out an authentication process the same to thatreferred to above in connection with the first example. If the identityof the individual requesting the benefit or service is verified in theauthentication process, then the operator of the computer 26 may takethe steps necessary to dispense it. If the identity is not verified,then the operator may refuse to provide the service or benefit.

This example accordingly does not involve the use of a smartcard orother card, such as cards 16 and 24, in addition to the verificationdevice 10.

In this example, the benefits or services to be provided may be any of awide variety of different forms including, for example simple access toa building or a room in a building, or a secure area, in which case theoperator of the computer 26 might be, for example, a security guard.Further, the service required might be access to electronically storeddata, in which case the operator of the computer 26 might be theindividual him/herself requiring the access, for example by means of apublicly available computer terminal constituting the computer 26 suchas in an Internet cafe.

Thus, in this example, the transaction performed by the server 50 may besimply the generation and transmission to the computer 26 of a signal ordata confirming or denying the identity whose verification has beenrequested.

Fourth Example of Terminal Apparatus

The fourth example shown in FIG. 1 of terminal apparatus 4 comprises apassport reader 32 which is operable for electronically reading apassport 34 and is connected to a local computer 36 for processing thedata read from the passport 34. The passport reader 32 and localcomputer 36 may, for example, be located at an airport or other port.

Following the reading of the passport 34, the local computer 36 may,similarly to the local computer 26, send a message to one of the servers50 requesting verification of the identity of the person who haspresented the passport 34. In this example, the database 52 will be adatabase of passports and the identities of the respective passportholders. Apart from the fact that in this example identification data isread from the passport 34 by the passport reader 32 and thereby enteredautomatically into the local computer 36, this example functions in thesame way as the third example described above.

Fifth Example of Terminal Apparatus

The fifth example of terminal apparatus 4 shown in FIG. 1 comprises abuilding access tag reader 38 connected to a local computer 40 forproviding access, for example by unlocking a door, in response to thereading by the tag reader 38 of a tag 42. The tag 42 is of conventionaltype, such as a Radio Frequency Identity (RFID) tag, issued toindividuals to give them access to premises, such as an office buildingor factory, by electrically unlocking a door upon presentation of thetag to the tag reader.

Before providing access, the local computer 40 sends a message to abuilding management server 58 which includes a database 60 of personsauthorised to enter the building, a transaction module 62 whichprocesses the request received from the local computer 40 and anauthentication module 64 which similarly to the authentication module46, is operable to verify the identity of the person presenting the tag42 utilising the appropriate one of the verification devices 10, beforeaccess to the building is provided. The system may be such that eachindividual tag 42 has an identification number, the tags beingregistered, in the database 60, to respective different individuals towhom respective different verification devices 10 are registered. Inthis case, access may be given only if the authentication processdetermines that the verification device 10 with which the authenticationprocess is performed is registered to the same individual as the tag 42presented to the tag reader.

Although, in this example, the tag has been described as for givingaccess to premises, it could alternatively or additionally be a tag forturning off an alarm system upon entering a building or secure area, inwhich case the system would not turn off the alarm unless theidentification process confirms that both the tag presented to the tagreader and the verification devices 10 used in the authenticationprocess which is initiated are registered to the same individual.

Overview of Verification Devices

As shown in FIG. 2, each of the verification devices 10 comprises arectangular substrate 66, in the form of a card, upon which are mounteda mobile telephone (cellphone) modem 68 and an associated subscriberidentity module (SIM) 70 and antenna 72, a fingerprint scanner 74, adigital signal processor 76, a flash memory unit 78, and a rechargeablebattery 80 for powering the modem 68, SIM card 70, fingerprint scanner74, digital signal processor 76 and flash memory unit 78. As isconventional, each SIM 70 has a unique telephone number.

A charging port 82, constituted by a conventional electrical connector,is mounted on the substrate 66 at one end thereof and connected to thebattery 80 for connecting the battery to a power source, such asrectified mains, for charging the battery. A programming port 84 also inthe form of an electrical connector, is also mounted on the substrate 66at one end thereof and connected to the modem for supplying to the modemcomputer executable code for programming it, in particular for loadinginto the modem computer executable instructions which program the modemfor the performance of verification processes.

The substrate 66 also supports a manually operable on/off switch 86 forconnecting the battery to, and disconnecting it from, the componentsthat it powers, and three light sources, preferably light emittingdiodes (LEDs), 88, 90 and 92 for indicating respectively three differentstatuses of the device. Thus, LED 88 may be illuminated to indicate thata process requiring the reading of the fingerprint is to take place andthe user of the card should therefore place his/her appropriate fingeron the fingerprint scanner 74. The LED 90 may be illuminated to indicatethat the process has been successful and the LED 92 may be illuminatedto indicate that the process has been unsuccessful. Preferably, the LEDs88, 90 and 92 are of different colours, which are preferably blue, greenand red respectively.

The substrate 66 and the components 68 to 92 mounted on it arepreferably constructed and arranged so that the dimensions and shape ofthe device 10 as a whole are such that it can be readily carried in awallet along with conventional credit cards. Preferably, the dimensionsand shape are as close as practicable to the size and shape of aconventional credit card. By way of example, the dimensions of thedevice 10 (i.e. the substrate 66 together with the components 68 to 92)may be approximately, for example, 85 mm×54 mm×3.5 mm. Other dimensionsare possible. To achieve these dimensions, all of the componentssupported on the substrate may be constructed to be as flat (thin) aspossible or practicable i.e. the dimensions of each component in adirection normal to the plane of the substrate 66 should be as small aspossible or practicable and they should be positioned and arranged onthe substrate 66 so as to achieve the required overall thickness of thedevice 10. For this purpose, cut-outs may be provided in the substrate66 to accommodate some or all of the components as appropriate andpractical.

The substrate may be constructed of material conventionally used forcredit cards and the like, for example a suitable synthetic plasticsmaterial.

The function of each device 10 is to receive from the authenticationmodules 46, 56, 57 and 64, via the cellular network 12, SMS messagescontaining any one of a small number of device commands, to execute thereceived device command and, when required, to send data back to therelevant authentication module by means of a return SMS message. Theremay be four such commands, each of which may be in abbreviated form inthe SMS message, as follows:

-   -   “identify user” abbreviated to “idu”    -   “enrol user” abbreviated to “enr”    -   “remove user” abbreviated to “reu”    -   “create database” abbreviated to “crd”

It will be understood that the above abbreviations are merely by way ofexample and any suitable form of coding for the commands can be used.

The identify user command is used in the authentication process. Theenrol command is used when setting up a card for use with a particularuser and the remove user command is used for deleting data relating to apreviously enrolled user from the card. The create database command isused for entering data into a database on the card in such a way that,as will be described in more detail later, a number of different sets ofdata may be stored on the card, for example each set being related to arespective different matter or item, such as a different credit, bank orother card or a different vendor or institution. Thus, a single one ofthe devices 10 registered to a single individual may be set up forverifying the identity of the individual in connection with a number ofdifferent transactions such as those described above with reference tothe servers 8.

Further details of the components of the device 10 will be describedlater, following description of the authentication modules 46, 56, 57and 64.

Authentication Modules

The authentication modules 46, 56, 57 and 64 are each as illustrated inFIG. 3.

As shown in this figure, these authentication modules each comprise adata store 100, a request processor 102 for processing requests receivedby the authentication module, a transmitter/receiver 104 which isoperable for transmitting and receiving SMS messages, and a responseprocessor 108 for processing each received SMS message. Accordingly,each authentication module has, by way of its transmitter/receiver 104,a unique telephone number.

The data store 100 contains a verification device database 110, acommand database 112, and a system password store 114.

The request processor 102 comprises an enrolment module 122 forprocessing requests for enrolling the devices 10, a verify module 123for processing verification requests received from the transactionmodules, a create database module 124 for transmitting, in response toan appropriate request, data to be stored in a database on averification device and a remove user module 126 for deleting users fromthe system in accordance with an appropriate request.

Verification Device Database

The verification device database 110 contains a plurality of records116, only a few of which are shown.

Each record 116 corresponds to a respective different one of theverification devices 10 and has a field 116 a storing data (user ID)identifying or relating to the person to whom the correspondingverification device 10 is registered, a field 116 b storing thetelephone number of the SIM 70 of the corresponding verification device10 and a field 116 c storing a response password which, as will bedescribed more fully later, is also stored on the correspondingverification device 10 and is used in the authentication process.

The same device 10 may be registered in each of a number of differentauthentication modules so that it can be used in a verification processin relation to a number of different types of transaction. In this case,the record 116 which relates to the same device 10 in each of a numberof different authentication modules will have the same phone numberstored in field 116 b. However, the response password stored for thatdevice in field 116 c in each different authentication module does nothave to be the same although optionally it can be. Similarly, althoughmost conveniently it may be that the user ID should be the same in thefield 116 a in each authentication module in which the particular device10 is registered, this is not essential.

Command Database

The command database 112 stores the device commands, referred to above,which are to be transmitted to the verification devices 10. Thus,assuming the same abbreviated commands as set out above, the commanddatabase will contain four fields each storing a respective one of thecommands:

-   -   “idu”    -   “enr”    -   “reu”    -   “crd”

As will be clear, these commands are for causing the verification device10 to execute the respective processes “identify user”, “enrol user”,“remove user” and “create database”. It is the first of these which isused in the authentication process.

System Passwords

The password which is stored in the system password store 114 may be thesame in all of the authentication modules 46, 56 and 62. In that case,there will be a single, overall system password.

Alternatively, if different banks, vendors or other institutions requiredifferent passwords from each other, respective different passwords maybe stored in the system password stores 114 of respective differentauthentication modules 46, 56 and 64. In that case, there will be asystem password unique to each such institution.

Further, some groups of institutions may wish to share a common systempassword whilst other groups share a different system password and yetother institutions may wish to have their own unique system passwords.This can easily be achieved by storing a respective group systempassword in the stores 114 of the authentication modules of eachrespective group of institutions wishing to share a password (eachdifferent group thereby having a respective unique group systempassword), whilst storing a respective different unique system passwordin the store 114 of the authentication module of each institutionrequiring a unique system password.

The way in which the system passwords are used in the verificationprocess will be described later.

Verification Request Module

The verification request module 123 is operable in response to receptionby the request processor 102 of authentication requests from therespective transaction module 44, 53, or 54 to 62. Each authenticationrequest will include a user ID that, for example, uniquely relates tothe card 16 or 24, passport 34 or tag 42 used to initiate the requestedtransaction or, in the cases of the remote computer 51 and theidentification server 50, uniquely relates to the purported identity ofthe person making the identification request 30.

Upon receipt of an authentication request, the verification requestmodule 123 searches the fields 116 a of the device database 110 tolocate the record 116 corresponding to the user ID contained in thereceived verification request.

Having located any such record, the verification module 123 extracts theverification device phone number contained in field 116 b of thatrecord, the identify user (idu) command from the commands database 112and the system password from the store 114 and forwards them to thetransmitter/receiver 104 together with a command to cause thetransmitter/receiver 104 to construct and transmit an SMS message.

SMS Messages

In response to the instruction referred to above, thetransmitter/receiver 104 constructs an SMS message 118. The SMS message118 contains as its destination phone number, the number extracted fromthe field 116 b and as its origin phone number, the unique phone numberof the transmitter/receiver 104. It also contains, as text, both thecommand “idu” and the system password. These may be separated from eachother by a suitable separator symbol. The processes performed forconstructing the SMS message are conventional and therefore need not bedescribed.

Having constructed the SMS message 118, the transmitter/receiver 104transmits it to the cellular network 12, either directly or via someother network such as network 6, and in a conventional manner thecellular network delivers the SMS message 118 to the modem 68 whose SIM70 corresponds to the destination phone number in the SMS message.

In response to receiving the SMS message 118, the modem 68 and digitalsignal processor 76 execute processes (to be described in detail later)which, dependent upon the outcome of those processes, result in a returnSMS message 120 (FIG. 3) being transmitted from the device 10 back tothe authentication module from which the SMS message 118 originated.Thus, the return SMS message 120 contains, as the destination phonenumber, the unique phone number of the transmitter/receiver 104 fromwhich the received SMS message 118 originated and, as the origin phonenumber, the phone number of the SIM 70 of the modem 68 which receivedthe SMS message 118. The return SMS message 120 also contains, as text,a response password which is stored in the device 10, as will bedescribed more fully later.

The transmitter/receiver 104 that receives the return SMS message 120forwards the return SMS message to the response processor 108.

Response Processor 108

The response processor 108, upon receipt of the return SMS message 120,searches the device database 110 for a record 116 whose fields 116 b and116 c respectively contain a phone number and response passwordcorresponding to the origin phone number and response password containedin the return SMS message 120. If such a record is found, the responseprocessor 108 transmits a message to the respective transaction module44, 53, 54 or 62 indicating that the verification process has given apositive result. In response to this, the transaction module executesthe requested transaction.

In the event that the search of the device database 110 performed by theresponse processor 108 does not locate a record 116 in which both phonenumber in field 116 b and the response password in field 116 c match theorigin phone number and the response password in the return SMS message120, the response processor 108 transmits a message to the respectivetransaction module indicating that the verification process has failed.In this case, the transaction processor does not execute the requestedtransaction.

Similarly, if the response processor 108 does not receive a return SMSmessage within a predetermined period of time following the transmissionof the outgoing SMS message 118, the response processor 108 transmits amessage to the respective transaction module indicating that theverification process has failed.

Enrolment Processor

The enrolment processor 122 is operable to execute an enrolment processin which relevant data relating to a new user are supplied to, andstored in, the authentication module and a verification device 10assigned to the new user.

The enrolment processor 122 operates in response to enrolment requests,entered into the system in any suitable manner, for example by themanual entry of the data required for enrolment into a terminal (notshown). Alternatively, some or all of the required data may beincorporated automatically into an enrolment request for example usingdata in the databases 45, 52, 55 or 60 as appropriate. The enrolmentrequest includes the user ID, the phone number of the SIM 70 of thedevice 10 assigned to him/her and a response password which may berandomly or otherwise selected.

In response to an enrolment request, the enrolment processor 122creates, in the device database 110, a new record 116 and inserts theuser ID, phone number and response password in the respective fields 116a, 116 b and 116 c thereof. The enrolment processor 122 also transfersthis data to the transmitter/receiver 104 together with the systempassword extracted from store 114 and the enrolment command “enr”extracted from the command database 112. In response,transmitter/receiver 104 constructs an SMS message 118 in which thedestination phone number is the phone number contained in the enrolmentrequest and the enrolment command, system password and response passwordare included as text, with appropriate separators between them ifrequired. The SMS message 118 is then transmitted, directly or via someother network, to the cellular network 12.

Upon receipt of the SMS message 118 containing the enrolment command,the device 70 carries out an enrolment process which will be describedlater.

Database Creation Processor

As will be described later, each of the verification devices isprogrammed for storing data of a number of different types in respectivedifferent memory blocks. The create database processor 124 included inthe request processor 102 of each authentication module is operable forprocessing database creation requests entered into the system in anysuitable manner as described with reference to the entry of enrolmentrequests. The database creation request includes the user IDcorresponding to the device 10 on which the database is to be created,the identity of the memory block in which it is to be stored in thedevice 10 and the data that is to be stored.

In response to receiving a database creation request, the processor 124searches the device database 110 to find the record 116 corresponding tothe user ID in the database creation request and transfers, to thetransmitter/receiver 104, the phone number from the field 116 b of thelocated record together with the create database command “crd” extractedfrom the command database 112, the system password extracted from store114 and the data that is to be transferred to the device 10. In responseto this, the transmitter/receiver 104 constructs an SMS message 118 inwhich the destination phone number is the phone number transferred to itby the create database processor 124 and in which the create databasecommand, the system password and the data in the create database requestare contained as text, again with separators as required.

If necessary, due to the amount of data to be transferred, thetransmitter/receiver 104 may split up the data into segments which aretransmitted in separate SMS messages.

The way in which the data is stored in the device 10 will be describedlater. After storage of the data in the device 10, the device 10 maysend a return SMS message (not shown) to the relevant authenticationmodule and the response processor 108 thereof may then output dataindicating that enrolment has taken place.

User Removal Processor

The remove user processor 126 which is operable to perform a process inwhich details of the previously enrolled user, and data relating to thatuser, are removed from the authentication module and from the device 10corresponding to that user.

A remove user request includes the user ID and in response to therequest, the processor 126 searches the device database 110 for thecorresponding record 116, extracts the phone number from the field 116 bthereof and transfers that phone number to the transmitter/receiver 104together with the remove user command “reu” extracted from the commanddatabase 112 and the system password extracted from the store 114.

The transmitter/receiver 104 constructs an SMS message 118 in which thephone number extracted from device database 110 is the destination phonenumber and the remove user command and system password are contained astext, if desired or necessary, separated by an appropriate separatorcharacter. The SMS message 118 is then transmitted to the cellularnetwork 12 directly or via another network.

Upon receipt of the SMS message, the device 10 removes all data relatingto the user and sends a return SMS message (not shown) to theauthentication module in question. The response processor 108, uponreceipt of this return SMS message, deletes the relevant record 116 andmay output data indicating that the user has been deleted.

Modem

The modem 68, which is shown in more detail in FIG. 4, is ofconventional construction, but modified to include additionalfunctionality to enable the modem 68, fingerprint scanner 74 and DSP 76to execute the processes required in this embodiment of the invention.

Thus, FIG. 4 indicates at 140 a number of the conventional modulesincluded in the GSM or cell phone modems, in particular a radio manager142 for managing incoming and outgoing radio signals from and to thecellphone network 6, a SIM manager 144 for managing communicationsbetween the modem 68 and the SIM card 70, an SMS reception module 146for processing incoming SMS messages and an SMS assembly module 148 forassembling and processing outgoing SMS messages. In practice, the modem68 will include a large number of other conventional circuits andcontrol modules, which may comprise software firmware or hardwiredcircuitry, but it is not necessary to describe these for the purpose ofunderstanding the present embodiment of the invention.

To provide the functionality required by this embodiment of theinvention, the modem 68 is configured to provide a data store 150(illustrated in detail in FIG. 5) for storing data relating to users ofthe device 10, a set of control modules 152, 154, 156 and 158 each forresponding to a respective one of the commands received by the modemfrom the authentication modules, and an encrypted data handler 160. Theencrypted data handler 160 comprises an encryption key generator 162 forgenerating encryption keys in a manner which will be described later, anencryptor 164 for encrypting data using those keys, a decryptor 166 fordecrypting the data so encrypted and a comparator 168 for performingcomparison operations on encrypted data as will be described later.

A DSP communications manager 170 controls communication between themodem 68 and the digital signal processor 76.

Modem Data Store and Flash Memory

With Reference to FIG. 5, the data store 150 comprises a data register180 which is divided into a number of data blocks indicated as Block 1to Block n each of which is for storing data related to a different typeof transaction that the system 2 is operable to perform. By way ofexample the data in Blocks 1 to 5 may relate respectively totransactions by a particular bank, American Express transactions, Visatransactions, transactions in a particular loyalty scheme and pensionbenefits transactions. In this embodiment, therefore, each of the dataBlocks 1 to n in register 180 corresponds to a respective different oneof the authentication modules or, expressed differently, corresponds toa respective different service or type of transaction with which theverification device 10 may be used.

Each of the Blocks 1 to n in data register 180 has a field 180 a forstoring the system password of the corresponding authentication modulei.e. the system password stored in store 114 thereof. Accordingly, thesystem password which is stored in different ones of the Blocks 1 to nwill be the same as, or different from, each other dependent uponwhether the authentication modules all use the same system password orwhether different authentication modules use different system passwords,as described above.

Each Block 1 to n in data register 180 also has a field 180 b forstoring the response password of the device 10 as registered in thedevice database 110 of the corresponding authentication module, i.e. theresponse password stored in each of Blocks 1 to n is the same as theresponse password stored in the field 116 c of the record 116 thatcorresponds to the user to whom the respective device 10 is registered.However, the response passwords stored in different ones of the Blocks 1to n may be different from each other because the same device 10 may beregistered in the device databases 110 of each of a number of differentauthentication modules, and different authentication modules may usedifferent response passwords for the same device 10, as alreadydescribed above.

In addition, each of Blocks 1 to n in the data register 180 has a memoryarea 180 c, which may be of variable size, for storing further datawhich might be required by different services or organisations, or inrelation to different types of transactions or in cases where particularauthentication modules might be set up to require additional data to bereturned following a successful fingerprint verification process.

Some or all of the data in the data register 180 may be encrypted.

The data store 150 also contains an encrypted fingerprint register 190which is divided into a number of different blocks which are alsolabelled as Blocks 1 to n so as to indicate correspondence between theblocks in register 180 and the blocks in register 190. Each of theBlocks 1 to n in register 190 is for containing a respective differentencrypted fingerprint template, each of which is to be used in averification process and each of which may be used for decrypting datafrom the corresponding block in data register 180. In general, eachverification device 10 will be registered to a single user andaccordingly the encrypted fingerprint register 190 may be configured forstoring up to 10 encrypted fingerprint templates, one for eachfinger/thumb, so that different fingers/thumbs can be used for obtainingdata from the respective different block in data register 180. In casesin which more than 10 data blocks are required in data register 180, oneor more of the blocks in encrypted fingerprint register 190 may eachcorrespond to 2 or more data blocks in the register 180.

The flash memory 78 is of conventional construction and is used forstoring unencrypted fingerprint templates generated by the DSP 76 fromdata received from the fingerprint scanner 74, which is also ofconventional construction. The unencrypted fingerprint templates arestored in the flash memory 78 in locations which are also indicated inFIG. 5 as Blocks 1 to n so as to represent correspondence with theBlocks 1 to n of the encrypted fingerprint register 190. The remainderof the flash memory 78 is filled with, or at least partly filled with,“dummy” bytes of data so that it would be impossible, or at leastdifficult, to determine from a readout of the contents of the flashmemory which data represents the unencrypted fingerprint templates. Thevalues of the “dummy bytes” may be generated by a random or pseudorandomnumber generator. In practice, the flash memory 78 may be completelypopulated with dummy bytes when formatted prior to use, in which casethe dummy bytes would be overwritten in memory locations in whichfingerprint templates are stored.

To increase the difficulty in locating the fingerprint templates from areadout of the contents of the flash memory 78, Blocks 1 to n in theflash memory 78 may be in disparate memory locations and the capacity ofthe flash memory 78 may be substantially greater than that needed forthe storage of the data in registers 180 and encrypted fingerprinttemplates in register 190.

Further, although, for simplicity, each Block in flash memory 78 hasbeen drawn as if the bytes representing each respective fingerprinttemplate are stored in a continuous block of memory locations i.e. insequential memory positions, this is not essential. For example, foradded security each fingerprint template may be broken up into a numberof smaller components and the smaller components stored in disparatememory locations.

By way of numerical example, flash memory 78 may have a capacity of 64kilobytes and each fingerprint template may be made up of 1000 bytes. Inlight of the above explanation, the 1000 bytes that make up a givenfingerprint template may be stored in sequential memory locations oralternatively may be broken up into a number of components and thecomponents stored at disparate memory locations. For example, eachcomponent may consist of a single byte in which case the template wouldbe stored in 1000 disparate one byte memory locations. Alternatively,each component may consist of two or more bytes, and all of thecomponents may be made up of the same number of bytes or differentcomponents could be made up of different numbers of bytes.

Enrolment Process

In response to receipt by modem 68 of an SMS message containing anenrolment command, the card enrol module 152 of the modem is called intooperation. This causes the LED 88 (preferably blue) to be energised andcauses the DSP communications manager 170 to send a command to the DSP76 to initiate a fingerprint reading operation utilising the fingerprintscanner 74.

The fingerprint scanner 74 is conventional and the DSP 76 is aconventional integrated circuit chip programmed in a conventional mannerfor deriving fingerprint templates from the data provided by the scanner74 and storing the resulting templates in the flash memory 78. As iswell known, a fingerprint template is a set of digital data representingor derived from the minutiae in fingerprints in such a way as touniquely or substantially uniquely represent the fingerprint in adataset of modest size. In practice, each template which is stored isbased upon an average of a number of scans of the same finger, forexample three scans. The DSP 76 and fingerprint scanner 74 are arrangedto function accordingly and, thus, following detection in a conventionalmanner of a finger placed upon the fingerprint scanner 74, the scanner74 performs the required number of scans and the DSP 76 computes anaveraged fingerprint template and stores it in the flash memory 78.Assuming that this is the first enrolment, for simplicity of descriptionit will be assumed that this fingerprint template is stored in Block 1in the flash memory as unencrypted fingerprint template FP 1.

The card enrol module 152 thereafter calls into operation the encryptionkey generator 162 which derives an encryption key from the unencryptedfingerprint template FP 1. The algorithm for generating the encryptionkey may be any suitable known algorithm. Using the encryption key soderived, the encryptor 164 encrypts the averaged fingerprint template FP1 and stores the result in Block 1 of the encrypted fingerprint register190. The encryption algorithm executed by encryptor 164 may be anysuitable known encryption algorithm.

As already described above, the SMS message containing the enrol commandalso includes the system password of the authentication modulerequesting the enrolment and the response password from the relevantrecord 116 of that authentication module. In this embodiment, it will beassumed that the system password is stored in unencrypted form in field180 a of the relevant Block in register 180, but that the encryptor 164encrypts the response password using the same encryption key and sameencryption algorithm as used for encrypting the averaged fingerprinttemplate and that the resulting encrypted response password in field 180b of Block 1 of data register 180. In other embodiments, the systempassword might also be encrypted in the same way for storage in field180 a.

Following successful completion of the enrolment process, the cardenrolment module 152 causes the green LED 90 to be illuminated. If it isunsuccessful the red LED 92 will be illuminated and the enrolmentprocess can be initiated again. If several attempts at enrolment fail,then the operator of the system may investigate the cause of the error.

Subsequent enrolment processes for enrolling the same device 10 for theperformance of authentication processes by different ones of theauthentication modules are performed in a similar manner. However, theuser selects a different finger for each successive enrolment processand the data derived from each successive process is stored in eachsuccessive Block respectively in the flash memory 78, the encryptedfingerprint register 190 and the data register 180. Hence, the user ofthe device 10 will use a different finger/thumb for the verificationprocesses performed by the different authentication modules, as alreadymentioned.

Verification Process

Following enrolment, the device 10 may be used in a verification processfor verifying the identity of the individual requesting the relevanttransaction.

In response to the modem 68 receiving an SMS message 118 (FIG. 3)containing an identify user command, the verify fingerprint module 156is called into operation. The verify fingerprint module 156 firstlychecks the system password contained in the received SMS message 118against the system passwords stored in register 180, assuming that thosestored system passwords are in unencrypted form. If a match is notfound, this indicates that the SMS message 118 is not valid and theverify fingerprint module 156 terminates the processing.

If a match between the system password in the received SMS message 118and one of the system password stored in register 180 is found, thereceived SMS message 118 is taken to be valid and the verify fingerprintmodule 156 causes the blue LED 88 to be illuminated to indicate to theuser that the device 10 is about to perform a fingerprint readingprocess. The person requesting the transaction will know whichtransaction he is requesting and, if he is also the person to whom oneof the devices 10 is registered, he will know which finger he presentedto the fingerprint scanner 74 when enrolling the device in respect ofeach of the relevant transactions. Thus, upon illumination of the blueLED 88, the user of the device 10 will, if he/she is the personrequesting the transaction, place the appropriate finger or thumb on thefingerprint scanner 74.

In response to this, and an appropriate command from the verifyfingerprint module 156, the DSP 76 will derive an averaged fingerprinttemplate, using the same process as described previously.

As is well known, it is unlikely that any two scans of the samefingerprint by a fingerprint reader will produce identical fingerprintdata, for example because the user may apply different pressure throughhis finger thereby distorting the shape of his finger differently, theangle at which his finger is positioned may differ or there may bedamage to the skin of his finger that was or was not present for both ofthe scans. As a consequence, it is unlikely that any two fingerprinttemplates derived from the same finger will be the same or that any twoaveraged fingerprint templates derived from the same finger will be thesame. However, the averaged fingerprint templates will be sufficientlysimilar to enable the newly derived averaged fingerprint template to bematched to the fingerprint template stored in the flash memory 78 in theenrolment process.

Accordingly, in a conventional manner, the DSP 76 searches the flashmemory 78 for a match to the newly derived averaged fingerprinttemplate. If it does not find a match, DSP 76 sends a signal indicatingthis to the modem 68 and the verify fingerprint module terminates theprocess at that point. As a result, an SMS message 120 (FIG. 3) will notbe returned to the authentication module and the authentication modulewill indicate to the respective transaction processor that theverification process has failed. In those circumstances the transactionmay not be authorised.

Accordingly, in a conventional manner, the DSP 76 searches the flashmemory 78 for a match to the newly derived averaged fingerprinttemplate. In so doing, the DSP 76 may limit its search to the specificaddress locations in flash memory 78 in which fingerprint templates havebeen stored in the enrolment processes. Alternatively, this search maybe conducted through the whole of flash memory 78. In embodiments inwhich, as previously described, each fingerprint template is broken upinto components which are stored in disparate locations, the DSP 76 mayreassemble each template from its components in order to enable matchingprocess to take place, or alternatively it may compare the newly derivedaveraged fingerprint template component by component with the componentsof each previously stored template until a match is found.

If the DSP 76 finds a match between the newly derived averagedfingerprint template and a previously stored template in the flashmemory 78, the DSP 76 sends a message indicating this to the modem 68,in response to which the modem 68 may construct and send an SMS message120 (FIG. 3) back to the relevant authentication module. This SMSmessage must, as previously explained, contain the appropriate responsepassword. However, the response passwords are stored in encrypted formin the respective Block 1 to n of data register 180. Accordingly, beforethe return SMS message 120 can be constructed it is necessary to decryptthe relevant response password and any further encrypted data which isto be returned in the SMS message 120.

The encryption key derived from the averaged fingerprint template in theenrolment process is not saved, for security reasons. Consequently it isnecessary to derive a new and identical encryption key in order todecrypt the data in the data register 180. Whilst the newly derivedaveraged fingerprint template is sufficiently similar to the previouslystored fingerprint template in the flash memory 78 to enable matching totake place for the purpose of verifying the fingerprint, it is not, asis well known, sufficiently similar to enable an identical encryptionkey to be derived.

Thus, in the present embodiment, the previously stored fingerprinttemplate in flash memory 78 which has been found to match the newlyderived averaged fingerprint template is accessed by the verifyfingerprint module 156 which then causes the key generator 162 togenerate a new encryption key derived from the previously storedfingerprint template in the flash memory 78. Since this is the same asthe fingerprint template used to derive the encryption key in theenrolment process, the newly derived encryption key will be identicaland is used by the decryptor 166 to decrypt the response password storedin the relevant block 1 to n of data register 180 so that the decryptedresponse password may be inserted into the return SMS 120.

However, before carrying out this process and as a double securitycheck, the previously stored fingerprint template is also encrypted withthe newly derived encryption key and, utilising compare module 168, itis compared with encrypted fingerprint templates stored in the Blocks 1to n of the encrypted template register 190, to determine if a match canbe found. If a match is found, the verify fingerprint module 156instructs the SMS assembler 148 to assemble the SMS message 120 andtransmit it to authentication module from which the received SMS message118 originated. As an alternative to this process, the newly derivedencryption key may be used to decrypt the encrypted fingerprint templatein the appropriate block in register 190 and the comparator 168 used tocompare this decrypted fingerprint template with the averagedfingerprint template which is stored in flash memory 78 and has beenidentified by the DSP 76 during the verification process.

In either case, if the comparator 168 does not find a match in theencrypted fingerprint register 190, the verification process isterminated and the red LED 92 illuminated to indicate failure of theverification process. As a result, no SMS message will be returned tothe authentication module, and the response processor thereof will senda message to the relevant transaction module indicating that theverification process has failed.

If the comparator 168 does find a match, the green LED 90 is illuminatedto indicate this and an SMS message 120 is assembled by the SMSassembler 148 in the modem and returned to the relevant authenticationmodule utilising the origin phone number in the received SMS message118. The response processor in the authentication module will indicateto the relevant transaction module that the verification process hasbeen successful.

Create Database

When the modem 68 receives an SMS message 118 containing a createdatabase command, as previously described, the store data module 154 ofthe modem is called into operation.

Using the system password in the received email, the stored data module154 identifies the Block of register 180 into which the data containedin the received SMS message is to be inserted. However, before storingthat data, the store data module 154 causes the fingerprint scanner 74and DSP 76 to carry out a fingerprint verification process as previouslydescribed. This process includes the derivation of a new encryption keyfrom the previously stored averaged fingerprint template in the flashmemory 78. This newly derived encryption key is used as previouslydescribed to double check the verification utilising the encryptedfingerprint templates stored in register 190. If the data to be storedin data register 182 is to be encrypted, the newly derived encrypted keyis used for this purpose with the same encryption algorithm as referredto above.

Remove User

In response to receiving an SMS message 118 containing a remove usercommand, the remove user module 126 is called into operation. This againcarries out a similar fingerprint verification process and if this issuccessful the relevant data is removed from register 180. The removeuser module 126 may be arranged either to remove all data from theregister 180 and the register 190, and all prestored averagedfingerprint templates from the flash memory 78. Alternatively, it may bearranged so that it only removes a selected block or blocks of data fromthe register 180 and 190 and the corresponding prestored averagedfingerprint template or templates from the flash memory 78.

Current Booster

As explained above, each verification device 10 is, in this embodiment,constructed as a slim card which can easily be carried in a wallet, inparticular it is intolerable for the device to be a card of generallysimilar size, shape and thickness to a conventional credit card or thelike. As a result, there is limited space available for a battery. Thesmaller the physical size of the battery, the less capacity it has andthe shorter will be the period for which it can supply adequate powerbefore requiring recharging. In order to extend this period, each device10 preferably includes a current booster as shown in the circuit diagramof FIG. 6.

As shown in FIG. 6, the positive terminal of the battery 80 is connectedthrough a diode D1 to the positive power supply terminal V+ of each ofthe modem 68, the DSP 76 and the fingerprint scanner 74. The negativepower supply terminal V− and the negative terminal of the battery 80 areconnected to ground. A bank of 100 μF smoothing capacitors C1 to C6 isconnected across the battery, the capacitors C1 to C6 being in parallelwith each other.

To keep the battery as physically small as possible, it may, on its own,only be able to provide sufficient current to the modem 68 for the modem68 to remain in communication with a base station of the cellularnetwork, after communication with the base station has been established.However, GSM or cell phone modems typically require more current whensearching for a base station, and the battery 80 may be insufficient onits own to provide this.

To enable battery 80 which, due to its small size and rating, would notdeliver sufficient current on its own to power the modem 68 when themodem 68 is searching for a base station, a current booster circuit 100is included and this is switched into operation when the modem 68 issearching for a base station and is switched off during periods when themodem has found and is in communication with a base station.

Conventional GSM or cell phone modems such as modem 68 are provided witha status pin, indicated at 102 in FIG. 6 which are at a relatively highvoltage, typically about 3V, when the modem is already in communicationwith a base station, but the voltage of the status pin drops, typicallyto approximately 2 volts when the modem is searching for a base station.Conventionally, the voltage on the status pin is used to activate anindicator on the cell phone display to indicate whether or not the modemis in communication with a base station.

In the circuit of FIG. 6, the voltage on the status pin 102 is used fortwo purposes. Firstly, it is used for switching the current booster intoand out of operation. Secondly, it is used to provide an input voltageto the current booster 100 from which additional current is generatedfor supply to the modem 68 when it is searching for a base station.

Thus, current booster circuit 100 has its positive power input terminal104 connected through resistor R3 to the status pin 102 and its negativepower input terminal 106 connected via NPN transistor T1 to groundthrough a diode D3. The transistor T1 acts as a switch so that thecurrent booster 100 is powered down (switched off) when the status pinvoltage is high, but is powered up (switched on) when the status pinvoltage is low. For this purpose, a voltage sensing circuit 108 sensesthe voltage on the status pin 102 and turns the transistor T1 on or offaccordingly.

As can be seen in FIG. 6, the sensing circuit includes a resistor R2through which the status pin 102 is connected to the base of transistorT1, and the Zener diode D4 in series with a resistor R1 through whichthe status pin 102 is connected to ground. The breakdown voltage of theZener diode D4 is approximately 2V so that when the status pin voltageis high the Zener diode D4 conducts and the NPN transistor T1 is turnedoff. When the status pin voltage goes low, such that the Zener diode D4ceases to conduct, current flows into the base of the NPN transistor T1from the status pin causing the NPN transistor T1 to be turned on T1.

When the transistor T1 turns on, power is supplied to the power inputterminals 104 and 106 of the current booster 100 which then suppliescurrent from its output terminal 110 through diode D2 to the V+ inputterminal of the modem 68. The currents through the diodes D1 and D2 aresummed at junction 112.

Thus, when the modem 68 is already in communication with a base stationand requires a relatively low level of current to power it, this issupplied from the battery 80 via diode D1. When the modem 68 issearching for a base station and requires additional current, this issupplied from the current booster 100 via the diode D2.

The current booster circuit 100 may be a conventional voltage converteroperable to approximately double an applied input voltage, such as MAX680, as indicated in FIG. 6. Thus, in the circuit as shown in FIG. 6,when the current booster circuit 100 is turned on it produces, from theapproximate 2 volts applied to it from the status pin 102, a voltage ofapproximately 4 V which in turn provides the additional current suppliedto the modem 68 through the diode D2.

By way of example, the battery may be rated at, say, 3.2 V or 3.5 V and200 mA hours and the resisters may have the values shown on FIG. 6.However, these are mere examples and in practice values will be chosento suit the particular components which are used in the verificationdevice 10.

Modifications

Although FIG. 6 shows the details of the particular circuit forproviding this additional current, at the circuits are possible. Thus,this aspect of the invention extends to different forms of circuitwhich, in response to the modem being in a condition in which it issearching for a base station, supplies additional current to the modem.Accordingly, with such an arrangement, it is possible to use a smallbattery of low rating for powering the modem and other circuitry on thedevice 10.

Further, although in the embodiment described and illustrated in theaccompanying drawings the current booster is shown as applied to averification device in the form of a card, it may alternatively beapplied to any device utilising a modem for communication with a mobiletelephone or cell phone network, particularly where the device is suchthat it is desirable to employ a battery which is a small as possible.Examples of such other devices are mobile telephones themselves.

Further, although one particular circuit has been illustrated in FIG. 6,other forms of circuit are possible, particularly any circuit comprisinga battery, a modem status detection circuit for detecting whether themodem is in communication with a base station or is searching for a basestation, a current or voltage booster, and a switching circuitcontrolled by the detection circuit for switching the current or voltagebooster into and out of operation such that the booster providesadditional current to the modem when it is searching for a base station.

Although the embodiment of the invention described with reference to thedrawings incorporates a fingerprint scanner for verifying the identityof the user, alternative embodiments of the invention may employ otherforms of biometric sensor, such as an iris sensor.

Although in the embodiment illustrated in the drawings, the devicedatabase 110 is provided in the authentication module in each differentserver, the device database could be incorporated into the conventionaldatabase or databases (for example databases 45, 52, 60 and 55 shown inFIG. 1) that contain details of smart cards or other devices with whichthe verification devices are to be used.

Although in the embodiment described with reference to the drawings theresponse to a successful verification by a verification device 10 istransmitted back to the telephone number of the server which initiatedthe verification process, this is not essential. Alternatively, it wouldbe possible to include in the SMS message 118 and alternative telephonenumber to which the response should be transmitted or each verificationdevice could store the telephone number or numbers to which responseshave to be transmitted. There could be a different telephone number towhich the responses would be transmitted corresponding to each of theBlocks 1 to n.

Although, in the embodiment described with reference to and asillustrated in the drawings, the verification, encryption and decryptionprocesses have all taken place on the device in the form of a cardsimilar to a conventional credit card, this feature of the invention isalso applicable to other forms of device or system. For example, thefunctionality described with reference to FIGS. 4 and 5 could beprovided on some other type of device which incorporates a fingerprintreader, such as a computer or a mobile telecommunications device, forexample a smart phone or tablet computer.

Further, although in the illustrated embodiment, the data register'sstores 180, 78 and 190 have all been provided on the card itself, otherarrangements are possible particularly if the verification device takesa form other than a card. For example, in a networked system, theunencrypted fingerprint templates which in the embodiment are stored inflash memory 78 could instead be stored on a central server and theprocessing for fingerprint verification and/or for encryption anddecryption of data could be partly done at the central server utilisingthe unencrypted fingerprint templates stored thereat.

It should also be understood that the process of encrypting anddecrypting data which has been described, in which unencryptedfingerprint template data is stored in a memory containing a substantialnumber of random data bytes or other data unrelated to the templates,and the unencrypted fingerprint template data is used for regenerationof an encryption or decryption key, may be used in any encryption anddecryption system which utilises an encryption and/or decryption keyderived from the fingerprint template.

Architectures for the card and its components which differ from thatshown in the accompanying drawings are possible. For example, thedigital signal processor and fingerprint scanner could be incorporatedinto a single integrated unit.

As previously explained, the invention has wide application. It may beused for a large number of different purposes, in particular in relationto a large number of different situations in which different types ofelectronic transaction will take place.

Examples transactions and purposes for which the invention may be usedare as follows:

-   -   POS/ATM Transactions    -   Building Security    -   Driver's License    -   Airport ID/Access    -   Hotel Room Access and Billing    -   Hospital    -   On line Gaming    -   Downloaded entertainment    -   Download Documents    -   Credit Rating    -   Birth Certificate    -   Computer Access/Login    -   Electronic Wallet    -   Emergency Medical Information    -   Other Licenses    -   Government & Military Facility Access    -   Medical care    -   Membership Cards (clubs)    -   Loyalty Cards (airmiles)    -   Verification of Deliveries    -   Benefits Card    -   Parking Access    -   Passport    -   Port ID/Access    -   Proof of Insurance/Policy    -   Social Security Card    -   Visa or Entry/Exit of a border    -   Voter Registration Card    -   Food Stamp Card

A separate enrolment process may take place in relation to each purposefor which the card is to be used.

Although, the identification requesting computer 26, computer 20, localcomputer 18, 36, 40, remote computer 51, vendor server 48, bank server43, identification server 50 and building management server 58 are eachillustrated in the accompanying drawings as one computer, they mayalternatively each be implemented as a number of computers. If more thanone computer they may be connected in a computer network. A computer maybe of any one or more of a number of types such as a desktop computer, alaptop computer, a netbook computer, a handheld computer, a tabletcomputer, a notebook computer, a personal digital assistant (PDA), aserver, a workstation, a cellular telephone, a smartphone, a mobilecomputing device, an Internet appliance, a point-to-point (PtP) networkof bus agents, such as microprocessors, that communicate via bus signalsdedicated to each agent on the PtP network or any other type ofcomputing device.

In the following claims, the word “finger” is used to be generic to bothfingers and thumbs.

A number of further aspects of the invention are defined in thefollowing clauses A to H.

A. A verification device comprising a cellular telecommunications modemand a fingerprint scanner coupled to the modem, the verification devicebeing configured for storing first fingerprint data in an enrolmentprocess and being operable, in response to the modem receiving averification command via a cellular telecommunications network, toperform a verification process in which:

-   (a) the fingerprint scanner scans a fingerprint to obtain second    fingerprint data,-   (b) the first and second fingerprint data are compared with each    other, and-   (c) in the event of a match between the first and second fingerprint    data, the modem transmits a response signal to a predetermined    destination via the telecommunications network.

B. A telecommunications network system for performing an electronictransaction or process comprising:

one or more terminals operable for initiating the electronic transactionor process;a plurality of verification devices according to any preceding claim;means for transmitting, via a cellular telecommunications network, averification command to a said verification device in response toinitiation of a transaction or process by a said terminal;means for receiving a said response signal via a cellulartelecommunications network; andmeans for performing said transaction or process only if said receivingmeans receives a said response signal.

C. A verification device comprising a cellular telecommunications modemand a biometric sensor coupled to the modem, the verification devicebeing configured for storing first biometric data in an enrolmentprocess and being operable, in response to the modem receiving averification command via a cellular telecommunications network, toperform a verification process in which:

-   (a) the biometric sensor obtains second biometric data,-   (b) the first and second biometric data are compared with each    other, and-   (c) in the event of a match between the first and second biometric    data, the modem transmits a response signal to a predetermined    destination via the telecommunications network.

D. A cellular telecommunications device comprising a modem and a powersupply circuit, said power supply circuit including a current boosterwhich is rendered operable in response to the modem searching for a basestation and inoperable when the modem is in communication with a basestation, so that additional current is supplied to the modem whensearching for a base station.

E. An identity verification device comprising a biometric sensor and acellular telecommunications device according to clause D, theverification device being operable for performing identity verificationoperations utilising the biometric sensor in response to receipt of averification command via a cellular telecommunications network.

F. A cellular telecommunications device comprising a modem and a powersupply circuit, said power supply circuit including terminals forconnection to a battery, a modem status detection circuit for detectingwhether the modem is in communication with a base station or issearching for a base station, a current or voltage booster, and aswitching circuit controlled by the detection circuit for switching thecurrent or voltage booster into and out of operation such that thebooster provides additional current to the modem when it is searchingfor a base station.

G. A verification device which incorporates a fingerprint reader and isoperable to perform an encryption process in which an item of electronicinformation is encrypted and stored on the card and a decryption processin which the stored information is decrypted, and in which

-   (a) the encryption is performed by    -   (i) deriving a first fingerprint template from a finger,    -   (ii) storing the first fingerprint template in unencrypted form        in a memory which also contains other data values thereby to        conceal the first fingerprint template,    -   (iii) deriving an encryption key from the first fingerprint        template, and    -   (iv) encrypting said information by any encryption algorithm        which utilises said encryption key;-   (b) and decryption is performed by    -   (i) deriving a second fingerprint template from a finger,    -   (ii) performing a matching process to match the second        fingerprint template with the stored first fingerprint template,    -   (iii) if the matching process is successful, regenerating the        encryption key from the first fingerprint template, and    -   (iv) decrypting the encrypted information utilising the        regenerated encryption key.

H. An electronic process for encrypting and decrypting information inelectronic form in which:

-   (a) encryption is performed by    -   (i) deriving a first fingerprint template from the finger,    -   (ii) storing the first fingerprint template in unencrypted form        in a memory which also contains other data values thereby to        conceal the first fingerprint template,    -   (iii) deriving a encryption key from the first fingerprint        template,    -   (iv) encrypting said information by an encryption algorithm        which utilises said encryption key, and    -   (vi) storing said encrypted information;-   (b) and decryption is performed by    -   (i) deriving a second fingerprint template,    -   (ii) performing a matching process to match the second        fingerprint template with the stored first fingerprint template,    -   (iii) if the matching process is successful, regenerating the        encryption key from the first fingerprint template, and    -   (iv) decrypting the encrypted information utilising the        regenerated encryption key.

1. A network system for performing electronic transactions or processescomprising: (a) terminal apparatus for generating instructions for theperformance of said electronic transactions or processes; (b) at leastone computer remote from the terminal apparatus and for performing theelectronic transactions or processes; (c) a plurality of verificationdevices each comprising a cellular telecommunications modem and abiometric sensor, each verification device for storing first biometricdata in an enrolment process, for performing a verification process inresponse to a verification command received by said modem, and fortransmitting a response signal to a predetermined destination by saidmodem dependent upon the result of the verification process; (d) adatabase for storing data identifying said verification devices; (e) averification command generator for generating verification commands; and(f) a receiver for receiving the response signals; wherein: (g) saidterminal apparatus, independently of said verification devices,generates said instructions and transmits said instructions to said atleast one remote computer via a telecommunications network; (h) said atleast one remote computer in response to receipt of a said instructioncauses said verification command generator to generate a saidverification command; (i) said verification command generator causes theverification command to be transmitted to a said verification devicewhose identity is determined in dependence upon data in the instructionand data in the database; (j) the verification process performed by theverification device comprises obtaining second biometric data from saidbiometric sensor, comparing the first and second biometric data witheach other and, in the event of a match between said first and secondbiometric data, generating a said response signal indicative of saidmatch and transmitting said response signal to said receiver; (k) saidat least one remote computer cannot perform said transaction unless asaid response signal indicating a said match is received by saidreceiver; and (l) said verification command is transmitted to saidverification device and said response signal is transmitted to saidreceiver via a cellular telecommunications network independently of saidterminal apparatus.
 2. A system according to claim 1, including atransmitter for transmitting a system password with said verificationcommand, and wherein each verification device is configured for storinga system password and to perform said verification process only if thestored system password corresponds to the system password received withsaid command.
 3. A system according to claim 1, including memory forstoring a plurality of system passwords each associated with arespective different electronic transaction or process and each fortransmission with a said verification command, and wherein eachverification device is configured for storing a plurality of systempasswords and to perform said verification process only if one of thestored system passwords corresponds to a system password received with asaid verification command.
 4. A system according to claim 1, whereineach verification device is configured for storing a response passwordand is configured to include said response password in the responsesignal.
 5. A system according to claim 1, wherein each verificationdevice is configured for storing a plurality of response passwords andis configured to include a selected one of said response passwords inthe response signal, the selected response password being dependent uponthe origin of the verification command.
 6. A system according to claim3, in which the biometric sensor is a fingerprint sensor and said firstand second biometric data are first and second fingerprint identifyingdata respectively.
 7. A system according to claim 6, wherein eachverification device: (a) is configured for storing a plurality of saidfirst fingerprint identifying data; (b) is configured for performing aplurality of said enrolment processes in respective different ones ofwhich first fingerprint identifying data relating to respectivedifferent fingers may be stored; and (c) is configured for comparing, insaid verification process, the second fingerprint identifying data tosaid plurality of stored first fingerprint identifying data relating tosaid different fingers.
 8. A system according to claim 7, wherein eachverification device: (a) is configured for associating respectivedifferent ones of said plurality of system passwords stored in theverification device with respective different ones of said plurality ofstored first fingerprint identifying data; and (b) is configured forgenerating said response signal only if: (i) the received systempassword corresponds to one of the system passwords stored in theverification device, and (ii) the second fingerprint identifying datathat is obtained in the verification process matches the stored firstfingerprint identifying data that is associated with said one systempassword.
 9. A system according to claim 8, wherein each verificationdevice is configured for storing a plurality of response passwords eachassociated with a respective said system password and is operable toinclude the associated response password in the response signal.
 10. Asystem according to claim 6, in which (a) the enrolment processcomprises (i) deriving a first fingerprint template from a finger, (ii)storing the first fingerprint template in unencrypted form in a memorywhich also contains other data values thereby to conceal the firstfingerprint template, (iii) deriving an encryption key from the firstfingerprint template, (iv) encrypting an item of information by anencryption algorithm which utilises said encryption key, and (v) storingsaid encrypted item of information; (b) and said verification processcomprises (i) deriving a second fingerprint template from a finger, (ii)performing a matching process to match the second fingerprint templatewith the stored first fingerprint template, (iii) if the matchingprocess is successful, regenerating the encryption key from the firstfingerprint template, and (iv) decrypting the encrypted item ofinformation utilising the regenerated encryption key.
 11. A systemaccording to claim 10, wherein said item of information comprises theunencrypted template.
 12. A system according to claim 1, including atransmitter for transmitting a system password with said verificationcommand, and wherein each verification device is configured for storinga system password and to perform said verification process only if thestored system password corresponds to the system password received withsaid command, wherein the biometric sensor is a fingerprint sensor andsaid first and second biometric data are first and second fingerprintidentifying data respectively, wherein (a) the enrolment processcomprises (i) deriving a first fingerprint template from a finger, (ii)storing the first fingerprint template in unencrypted form in a memorywhich also contains other data values thereby to conceal the firstfingerprint template, (iii) deriving an encryption key from the firstfingerprint template, (iv) encrypting an item of information by anencryption algorithm which utilises said encryption key, and (v) storingsaid encrypted item of information; (b) and said verification processcomprises (i) deriving a second fingerprint template from a finger, (ii)performing a matching process to match the second fingerprint templatewith the stored first fingerprint template, (iii) if the matchingprocess is successful, regenerating the encryption key from the firstfingerprint template, and (iv) decrypting the encrypted item ofinformation utilising the regenerated encryption key, and wherein theitem of information comprises the or each system password.
 13. A systemaccording to claim 1, wherein each verification device is configured forstoring a response password and is configured to include said responsepassword in the response signal, wherein the biometric sensor is afingerprint sensor and said first and second biometric data are firstand second fingerprint identifying data respectively, wherein (a) theenrolment process comprises (i) deriving a first fingerprint templatefrom a finger, (ii) storing the first fingerprint template inunencrypted form in a memory which also contains other data valuesthereby to conceal the first fingerprint template, (iii) deriving anencryption key from the first fingerprint template, (iv) encrypting anitem of information by an encryption algorithm which utilises saidencryption key, and (v) storing said encrypted item of information; (b)and said verification process comprises (i) deriving a secondfingerprint template from a finger, (ii) performing a matching processto match the second fingerprint template with the stored firstfingerprint template, (iii) if the matching process is successful,regenerating the encryption key from the first fingerprint template, and(iv) decrypting the encrypted item of information utilising theregenerated encryption key, and wherein the item of informationcomprises the or each response password.
 14. A system according to claim11, wherein the or each item of information includes further informationadditional to the system or response password.
 15. A system according toclaim 10, wherein said other data comprises random or pseudorandomnumbers.
 16. A system according to claim 10, wherein the or each firstfingerprint template is broken up into components which are stored indisparate locations in said memory.
 17. A system according to claim 1,wherein one or more of said terminals comprises a card reader forinitiating the electronic transaction or process in relation to asmartcard.
 18. A system according to claim 1, wherein one or more ofsaid terminals comprises a tag reader for electronically reading a tagand initiating the electronic transaction or process.
 19. A systemaccording to claim 1, wherein one or more of said terminals is arrangedto initiate said electronic transaction or process in response to entryinto said terminal of data relating to a smartcard.
 20. A systemaccording to claim 1, in which each verification device includes adigital signal processor coupled to the biometric sensor for processingsignals therefrom, the modem being operable to activate the digitalsignal processor for the performance of a biometric scan in response toreceipt of the verification command.
 21. A system according to claim 1,wherein each verification command is in an SMS text message.
 22. Asystem according to claim 1, wherein each response signal is in an SMStext message.
 23. A system according to claim 1, having a plurality ofsaid verification devices each constructed in the form of a card.
 24. Asystem according to claim 23, in which the dimensions of the card are nomore than 100 mm×60 mm×5 mm.
 25. A system according to claim 23, inwhich the dimensions of the card are 85 mm×54 mm×3.5 mm.
 26. A systemaccording to claim 23, wherein the card has a power supply circuit whichincludes a current booster which is rendered operable in response to themodem searching for a base station and inoperable when the modem is incommunication with a base station, so that additional current issupplied to the modem when searching for a base station.
 27. A systemaccording to claim 26, in which the modem has a status contact whosevoltage changes dependent upon whether the modem is searching for or isin communication with a base station, and in which a sensing circuit isoperable to sense the voltage on the status contact and to render thecurrent booster operable or inoperable dependent upon the sensedvoltage.
 28. A system according to claim 27, in which the currentbooster is powered from the status contact.
 29. A system according toclaim 26, in which the current booster comprises a voltage converter.30. A system according to claim 26, including a battery for powering theverification device, said battery having a rating of approximately 3.2or 3.5 V and 200 mA hours.
 31. A system according to claim 1, includinga said verification device in the form of a smart phone or tabletcomputer.